In this paper, we study the different possibilities to add two vectors of
digits of a given length $m$. Our results show that there are at least $2^{m-1}$
different additions of such vectors, while there exist only two types of addition
that we may employ, addition with carry and addition without carry. The
proofs of our results are elementary.

1 Introduction 

In this research note we investigate the different possibilities to add two digit 
vectors of the same length. 

Addition of digit vectors, in particular addition of binary vectors, is employed 
in many algorithms. Prominent examples in applied cryptography are the block 
ciphers IDEA [11] and AES [1] and several stream ciphers. We refer the reader
to [12] and to the eSTREAM-project for details on such ciphers.

The author's starting point into this question was the following observation. 
Any construction method for finite or infinite sequences of points is based on some 
arithmetical operations like addition or multiplication, on a suitable domain. 
It is most helpful if the algebraic structure underlying these operations is an 
abelian group. The choice of this group determines which function systems will
be suitable for the analysis of a given sequence, because the construction method
is intrinsically related to function systems, via the concept of the dual group
(see Hewitt and Ross [TO]). Different types of sequences require different types
of function systems for their analysis. An example of such a suitable "match"
between sequences and function systems in the theory of uniform distribution of
sequences in the $s$-dimensional unit cube $[0, 1)^s$ is given by Kronecker sequences
or, in their discrete version, good lattice points, and the trigonometric functions.
This construction method is based on addition modulo one (see Niederreiter [13,
Ch. 5] and Sloan and Joe [TO]). A second example is given by digital nets and sequences
and, as appropriate function system, the Walsh functions. Here, addition without
carry of digit vectors comes into play (see Niederreiter [13, Ch. 4] and Dick and
Pillichshammer [2]).

One important type of a digital sequence, the Halton sequence, can also be
generated by addition with carry, the underlying group being the compact abelian
group of $b$-adic integers. From the search for the appropriate function system in
this case, the notion of the $b$-adic function system originated. This concept was
developed in a series of papers (see [H El El El E]; and for a background in ergodic
theory [3]).

These investigations led to the question if there are any other types of addition 
of digit vectors, because if not, then the Walsh functions in base $b$ and the $b$-adic
function system and their combination in a hybrid function system (see [B] for
this notion) cover all possible cases of function systems associated with additions 
of digit vectors. 

Our results below show that this is indeed the case: there are only two types 
of addition of digit vectors: addition without carry, which is also called XOR- 
addition, and addition with carry, which is also known as integer addition. 

We exhibit that, for a given length $m$ of the digit vectors with digits in some
given integer base $b \ge 2$, there are at least $2^{m-1}$ different additions for such
vectors. This large number may be increased considerably if we employ also
automorphisms of suitable groups of residues.

Our reasoning is elementary. It is based on a classical theorem on finite abelian 
groups and on the notion of compositions of positive integers. 

The ideas presented below might have applications in cryptography, for example
in stream or block cipher algorithms. If the information which digits are
added in which way in the enciphering scheme is kept secret, then this will add
not only to confusion, but, as already used in IDEA, changing the type of addition
also adds to diffusion (for these two notions, see [15]). Hence, breaking the
cipher would be more difficult.

2 Addition of digit vectors 

Let $b \ge 2$ be a fixed integer and let $A_b = \{0, 1, \dots, b-1\}$ denote the set of $b$-ary
digits. For $m \in \mathbb{N}$, let $A_b^m$ stand for the $m$-fold cartesian product of the set $A_b$
with itself.

We will study the following question, mostly in the case $b = p$ a prime: What
are the binary operations "+" on the set $A_b^m$ of digit vectors such that the pair
$(A_b^m, +)$ is an abelian group?

Remark 2.1. In this paper, when we speak of an "addition on $A_b^m$", we mean a
binary operation "+" on the set $A_b^m$ of digit vectors in base $b$ such that the pair
$(A_b^m, +)$ is an abelian group.

The reader should note that the term "binary" has two different meanings 
in this paper, which will become clear from the context. A binary operation on 
a set $G$ is a map from the cartesian product $G \times G$ into $G$. Referring to the
representation of real numbers in base $b = 2$, the elements of the set $A_2^m$ are
called binary vectors, and for $m = 1$ one speaks of binary digits.

Let us consider the case $b = 2$ first. There are two well known examples for
addition of digit vectors. One is addition without carry and the other is addition 
with carry. 

For $n \in \mathbb{N}$, $n \ge 2$, let $\mathbb{Z}/n\mathbb{Z}$ denote the additive group of residue classes
modulo $n$. We identify this cyclic group with the set of integers $\{0, 1, \dots, n-1\}$
equipped with addition modulo $n$.

Example 2.2 (Addition without carry). We identify $A_2$ with $\mathbb{Z}/2\mathbb{Z}$. For $x, y \in A_2^m$,
$x = (x_0, \dots, x_{m-1})$ and $y = (y_0, \dots, y_{m-1})$, we define

$$x + y = (x_0 \oplus y_0, \dots, x_{m-1} \oplus y_{m-1}),$$

where '$\oplus$' denotes addition on $\mathbb{Z}/2\mathbb{Z}$, $0 \oplus 0 = 1 \oplus 1 = 0$, and $0 \oplus 1 = 1 \oplus 0 = 1$. The
pair $(A_2^m, +)$ is an abelian group. In fact, it is isomorphic to the product group
$(\mathbb{Z}/2\mathbb{Z})^m$. We call this binary operation addition without carry, or XOR-addition
of digit vectors.

Any nonnegative integer $k$, $0 \le k < 2^m$, has a unique dyadic representation
of the form $k = k_0 + k_1 2 + \dots + k_{m-1} 2^{m-1}$ with digits $k_j \in A_2$, $0 \le j \le m-1$.

Example 2.3 (Addition with carry). We identify $A_2^m$ with the group $\mathbb{Z}/2^m\mathbb{Z}$.
For $x \in A_2^m$, $x = (x_0, \dots, x_{m-1})$, we define the map $\mathrm{int}_2 : A_2^m \to \mathbb{Z}/2^m\mathbb{Z}$,

$$\mathrm{int}_2(x) = x_0 + x_1 2 + \dots + x_{m-1} 2^{m-1}.$$

Further, let $\mathrm{dig}_2 : \mathbb{Z}/2^m\mathbb{Z} \to A_2^m$,

$$\mathrm{dig}_2(k) = (k_0, k_1, \dots, k_{m-1}),$$

where $k = k_0 + k_1 2 + \dots + k_{m-1} 2^{m-1}$ is the representation of $k$ in base 2. Finally,
for $x, y \in A_2^m$, we define

$$x + y = \mathrm{dig}_2(\mathrm{int}_2(x) + \mathrm{int}_2(y) \pmod{2^m}).$$

With this binary operation the pair $(A_2^m, +)$ is an abelian group. Clearly, it
is isomorphic to the additive group $\mathbb{Z}/2^m\mathbb{Z}$. We call this type of binary operation
addition with carry or integer addition of digit vectors.

For $m \ge 2$, our two examples are non-isomorphic groups, because one is cyclic
and the other is not.

Apart from these two examples, are there any other possibilities to define
addition on the set $A_2^m$ of binary digit vectors?

From the Fundamental Theorem for Finite Abelian Groups (see [9, Sec. 10])
we obtain the following corollary. In this context, a partition of a positive integer
$m$ is a finite sequence $(t_i)_{i=1}^r$, $r \in \mathbb{N}$, of positive integers with the two properties
(i) $t_1 \ge t_2 \ge \dots \ge t_r$, and (ii) $t_1 + t_2 + \dots + t_r = m$.

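Corollary 2.4. The non-isomorphic groups of order $2^m$, $m \in \mathbb{N}$, are given by
the product groups

$$(\mathbb{Z}/2^{t_1}\mathbb{Z}) \times (\mathbb{Z}/2^{t_2}\mathbb{Z}) \times \dots \times (\mathbb{Z}/2^{t_r}\mathbb{Z}),$$

where $(t_i)_{i=1}^r$ is a partition of $m$.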

Hence, in view of Corollary 2.4, an addition on the set $A_2^m$ is defined if we put

$$(A_2^m, +) \cong (\mathbb{Z}/2^{t_1}\mathbb{Z}) \times (\mathbb{Z}/2^{t_2}\mathbb{Z}) \times \dots \times (\mathbb{Z}/2^{t_r}\mathbb{Z}), \qquad (1)$$

where $m = t_1 + t_2 + \dots + t_r$ is a partition of $m$. Here, the symbol "$\cong$" denotes
that the two groups are isomorphic.

As a consequence, there are at least as many possibilities to define addition
on the set $A_2^m$ of binary digit vectors of length $m$, as there are different partitions
of the integer $m$.

From the structure of the factors in (1) we obtain the following information.

Corollary 2.5. The only two types of binary operations on (sub)vectors of digits
that may appear in the group law of the abelian group $(A_2^m, +)$ are the following:

• addition given by finite product groups of the form $(\mathbb{Z}/2\mathbb{Z}) \times \dots \times (\mathbb{Z}/2\mathbb{Z})$,
which is what we have called XOR-addition, or

• addition in groups of residues of the form $\mathbb{Z}/2^t\mathbb{Z}$, $t \ge 2$, which we have
called integer addition.

Denote the number of different partitions of $m$ by $P(m)$. We refer to the
monograph [14, Ch. 2.5.1] for details on the partition function $P$ like tables, or
for results on its asymptotic behavior.

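For example, if $m = 8$, then there are $P(8) = 22$ non-isomorphic groups of
order $2^8$, like the groups $\mathbb{Z}/2^8\mathbb{Z}$, $(\mathbb{Z}/2^7\mathbb{Z}) \times (\mathbb{Z}/2\mathbb{Z})$, $(\mathbb{Z}/2^6\mathbb{Z}) \times (\mathbb{Z}/2^2\mathbb{Z})$, and so on.
Among these 22 non-isomorphic groups of order $2^8$, let us choose for illustration
the group

$$(\mathbb{Z}/2^3\mathbb{Z}) \times (\mathbb{Z}/2^2\mathbb{Z}) \times (\mathbb{Z}/2\mathbb{Z})^3.$$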

What addition on $A_2^8$ does this group induce? Addition of two bytes $x =
(x_0, \dots, x_7)$ and $y = (y_0, \dots, y_7)$ is carried out as follows. The first three bits of
$x$ and $y$ are interpreted as the three binary digits of two integers in the range
$\{0, 1, \dots, 7\}$. These two integers are added, the resulting integer is reduced modulo
$2^3$, which gives an integer in the range from 0 to 7, and the three binary digits
of this integer give the first three digits of the sum $x + y$. In other words, for
the first three bits, we carry out addition in the group $\mathbb{Z}/2^3\mathbb{Z}$ of residue classes
modulo $2^3$. The same procedure, which we have called integer addition, is applied
to the next two bits. For the last three bits, the digit vectors $(x_5, x_6, x_7)$
and $(y_5, y_6, y_7)$ are XOR-ed, because we have to perform addition in the group
$(\mathbb{Z}/2\mathbb{Z})^3$.

Observe that this is not the complete answer to our question. Our question
concerned the different possibilities to add two binary vectors of length $m$. In
the definition of such an addition, the position of each digit matters, whereas in
Corollary 2.4 the order of the factors does not. The two groups

$$(\mathbb{Z}/2^3\mathbb{Z}) \times (\mathbb{Z}/2^2\mathbb{Z}) \times (\mathbb{Z}/2\mathbb{Z})^3$$

and

$$(\mathbb{Z}/2\mathbb{Z})^3 \times (\mathbb{Z}/2^2\mathbb{Z}) \times (\mathbb{Z}/2^3\mathbb{Z})$$

are isomorphic, but they induce different additions on $A_2^8$. In the first case, the
first three digits of $x + y$ are computed via integer addition, in the second case
these three digits are computed by the XOR-operation.

In terms of representing a number $m \in \mathbb{N}$, this means we consider the representation
$8 = 3 + 2 + 1 + 1 + 1$ to be different from $8 = 1 + 1 + 1 + 2 + 3$, because
they induce different additions on $A_2^8$. This leads us to the following definition.

Definition 2.6. A composition of a positive integer $m$ is a finite sequence of
positive integers $(t_i)_{i=1}^r$, $r \in \mathbb{N}$, with the property $m = t_1 + t_2 + \dots + t_r$.

Two such sequences which differ in the order of their summands are deemed 
to be different compositions, while they would be considered to be the same 
partition of m. The following result and its nice proof are well known. 

Lemma 2.7. Let $C(m)$ denote the number of different compositions of $m \in \mathbb{N}$.
Then

$$C(m) = 2^{m-1}.$$

Proof. The case $m = 1$ is trivial. Let $m \ge 2$. In the scheme

$$1 \,\square\, 1 \,\square\, \dots \,\square\, 1 \,\square\, 1,$$

of $m$ 1's and $m - 1$ boxes, we may replace every box either by a plus sign or
by a comma. A different choice for each of the $m - 1$ boxes leads to a different
composition of $m$. □

We may summarize our findings as follows. 

Theorem 2.8. For the set $A_2$ of binary digits and for $m \in \mathbb{N}$, the following holds
for all binary operations "+" on the set $A_2^m$ such that the pair $(A_2^m, +)$ forms an
abelian group:

1. There are only two types of addition of (sub)vectors of binary digits, addition
without carry and addition with carry.

2. The number of different additions on $A_2^m$ that arise from the compositions
of $m$ is equal to $2^{m-1}$.

The preceding arguments may be generalized directly to the case of an arbitrary
prime base $p$ instead of base 2.

Corollary 2.9. Let $p$ be a prime. Then there exist only two types of addition for
vectors of $p$-ary digits, addition without carry, which corresponds to addition on
finite product groups of the form $(\mathbb{Z}/p\mathbb{Z}) \times \dots \times (\mathbb{Z}/p\mathbb{Z})$, and addition with carry,
which corresponds to groups of the form $\mathbb{Z}/p^t\mathbb{Z}$, $t \ge 2$. Further, for every $m \in \mathbb{N}$,
the number of additions on $A_p^m$ that arise from the compositions of $m$ is equal to
$2^{m-1}$.

In case of a composite integer base $b$, $b > 2$, the situation is more complicated,
because from the factorization of $b$ into distinct prime powers many 'small' cyclic
groups arise in the Fundamental Theorem for Finite Abelian Groups that cannot
directly be related to operations on the $b$-adic digits, as we did above. One
will have to use the Chinese Remainder Theorem to treat these cases. We omit
these technical details because they do not contribute any new aspects to our
investigation.

Clearly, every composition of the positive integer $m$ defines an addition on
$A_b^m$, by simply following the recipes given above. Hence, the number of different
binary operations "+" on $A_b^m$ such that the pair $(A_b^m, +)$ is an abelian group is at
least $2^{m-1}$.

In detail, the composition $m = t_1 + \dots + t_r$ gives rise to the addition on $A_b^m$
defined by the following product group:

$$(A_b^m, +) \cong (\mathbb{Z}/b^{t_1}\mathbb{Z}) \times (\mathbb{Z}/b^{t_2}\mathbb{Z}) \times \dots \times (\mathbb{Z}/b^{t_r}\mathbb{Z}). \qquad (2)$$
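The blockwise addition that a composition of $m$ induces, written out as an added example (not code from the paper): a block of $t$ digits is added in $\mathbb{Z}/b^t\mathbb{Z}$ with the least significant digit first inside the block, and the helper checks brute-force the group axioms and count the distinct addition tables. All function names and the two sample bytes are chosen here for illustration.

```python
from itertools import product

def compositions(m):
    """All compositions of m, following the proof of Lemma 2.7: each of the
    m-1 gaps between m ones holds either a plus sign or a comma."""
    for mask in range(1 << (m - 1)):
        parts, run = [], 1
        for gap in range(m - 1):
            if (mask >> gap) & 1:    # comma: close the current part
                parts.append(run)
                run = 1
            else:                    # plus sign: extend the current part
                run += 1
        yield tuple(parts + [run])

def add(x, y, comp, b=2):
    """Add digit vectors x and y block by block: a block of t digits is
    read as an integer (int_b), added modulo b**t, and written back (dig_b).
    A block with t = 1 is addition without carry (XOR for b = 2)."""
    out, pos = [], 0
    for t in comp:
        ix = sum(d * b**j for j, d in enumerate(x[pos:pos + t]))
        iy = sum(d * b**j for j, d in enumerate(y[pos:pos + t]))
        s = (ix + iy) % b**t
        out += [(s // b**j) % b for j in range(t)]
        pos += t
    return tuple(out)

def is_abelian_group(m, comp, b=2):
    """Brute-force the abelian group axioms on all of A_b^m (small m only)."""
    V = list(product(range(b), repeat=m))
    zero = (0,) * m
    plus = lambda u, v: add(u, v, comp, b)
    return (all(plus(u, zero) == u for u in V)
            and all(any(plus(u, v) == zero for v in V) for u in V)
            and all(plus(u, v) == plus(v, u) for u in V for v in V)
            and all(plus(plus(u, v), w) == plus(u, plus(v, w))
                    for u in V for v in V for w in V))

def distinct_additions(m, b=2):
    """Number of pairwise different addition tables over all compositions."""
    V = list(product(range(b), repeat=m))
    tables = {tuple(add(u, v, c, b) for u in V for v in V)
              for c in compositions(m)}
    return len(tables)

if __name__ == "__main__":
    x, y = (1, 1, 0, 1, 0, 1, 0, 1), (1, 0, 0, 1, 1, 1, 1, 0)  # constructed bytes
    print(add(x, y, (3, 2, 1, 1, 1)), add(x, y, (1, 1, 1, 2, 3)))
    print(distinct_additions(4))
```

The two compositions $3+2+1+1+1$ and $1+1+1+2+3$ give different sums for the same pair of bytes, and for $m = 4$ the eight compositions give eight different addition tables.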



3 Combination with automorphisms 

In cryptographic applications of the ideas above, for example in stream ciphers, 
the information which of the m digits are added by XOR-addition and which by 
integer addition might become part of the key in the encryption scheme. 

We will increase the key space considerably by the following idea. Suppose
that we have chosen the composition $m = t_1 + \dots + t_r$ of $m$. Hence, we obtain the
group law on $A_b^m$ from the product group given in (2). For a given factor $\mathbb{Z}/b^t\mathbb{Z}$ of
this product we may combine integer addition with an arbitrary automorphism
$\sigma$ of the group $\mathbb{Z}/b^t\mathbb{Z}$ as follows. For $x, y \in A_b^t$, $x = (x_0, \dots, x_{t-1})$ and $y =
(y_0, \dots, y_{t-1})$, these $t$ digits are added by the law

$$x + y = \mathrm{dig}_b(\sigma(\mathrm{int}_b(x)) + \sigma(\mathrm{int}_b(y)) \pmod{b^t}). \qquad (3)$$

Lemma 3.1. There are $\varphi(b^t)$ different ways to define the addition in

Proof. The following reasoning is standard. Let $\sigma$ be a homomorphism of the
additive group $\mathbb{Z}/b^t\mathbb{Z}$ into itself. Then $\sigma(a) = a\sigma(1)$ for all $a \in \mathbb{Z}/b^t\mathbb{Z}$. Hence,
$\sigma$ is an automorphism if and only if $(\sigma, b^t) = 1$. In other words, $\sigma$ belongs to
the (multiplicative) group of prime residues $(\mathbb{Z}/b^t\mathbb{Z})^*$ modulo $b^t$, which has $\varphi(b^t)$
elements. □

Theorem 3.2. Let $p$ be a prime. Then, for any $m \in \mathbb{N}$, the compositions of $m$
and the automorphisms of the associated groups of residues generate

$$(p-1)(2p-1)^{m-1}$$

different additions on $A_p^m$, i.e., binary operations "+" such that the pair $(A_p^m, +)$
is an abelian group.

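Proof. For a given composition $m = t_1 + \dots + t_r$ of $m$ into $r$ components, $1 \le
r \le m$, we obtain the group law from

$$(A_p^m, +) \cong (\mathbb{Z}/p^{t_1}\mathbb{Z}) \times (\mathbb{Z}/p^{t_2}\mathbb{Z}) \times \dots \times (\mathbb{Z}/p^{t_r}\mathbb{Z}). \qquad (4)$$

Due to Lemma 3.1 this group product allows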




automorphisms. 

The number of compositions of $m$ with $r$ terms is equal to the number of
possibilities to choose $r - 1$ from the available $m - 1$ places to put a comma in the
proof of Lemma 2.7. For this reason, there exist




compositions of m into r terms. 

Hence, the total number of different additions on $A_p^m$ that stem from compositions
of $m$ and the associated automorphisms is given by




$$= (p-1)(2p-1)^{m-1}.$$



□ 

Example 3.3. Let $p = 2$ and $m = 8$. There are $2^7 = 128$ different additions on
$A_2^8$ arising from the 128 compositions of the number 8.

For the given composition $8 = 3 + 4 + 1$, there are $\varphi(2^3) = 4$ different integer
additions for the first three bits and $\varphi(2^4) = 8$ for the next four bits, if we employ
the combination of addition with automorphisms like in (3), and there is just one
addition for the last bit. As a consequence, for this particular composition of
$m = 8$, there exists not only one addition of 8-bit dyadic vectors but there are 32
different additions available due to the combination with the 4 automorphisms
of the factor $\mathbb{Z}/2^3\mathbb{Z}$ and the 8 automorphisms of $\mathbb{Z}/2^4\mathbb{Z}$.

Hence, if we allow automorphisms of the residue groups that appear as factors
in the product group (2), then from Theorem 3.2 it follows that there are $3^7 =
2187$ different additions of 8-bit vectors available.

In the case of an arbitrary integer base $b$, the result is the following:

Theorem 3.4. Let $b \ge 2$ be an integer. Then, for any $m \in \mathbb{N}$, the compositions
of $m$ and the automorphisms of the associated groups of residues generate

$$b^m c_b (1 + c_b)^{m-1}$$

different binary operations "+" on $A_b^m$ such that the pair $(A_b^m, +)$ is an abelian
group. Here, the number $c_b$ is defined as

$$c_b = \prod_{i=1}^{s} \left(1 - \frac{1}{p_i}\right),$$

where $b = \prod_{i=1}^{s} p_i^{\alpha_i}$ is the factorization of $b$ into distinct primes $p_i$, with $\alpha_i \in \mathbb{N}$,
$1 \le i \le s$.

Proof. We translate the proof of Theorem 3.2 step by step from the case of a
prime base $p$ to the general base $b$. □
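A numerical cross-check of the counts in Theorems 3.2 and 3.4, added here as an example that is not part of the paper: it sums the number of automorphism choices over all compositions of $m$ by a recursion on the first part and compares the total with the closed forms. It assumes $c_b$ is the product of $(1 - 1/p)$ over the primes $p$ dividing $b$, so that $\varphi(b^t) = b^t c_b$; the function names are chosen for illustration.

```python
from fractions import Fraction
from functools import lru_cache
from math import gcd, prod

def phi(n):
    """Euler's totient by direct count (adequate for the small n used here)."""
    return sum(1 for a in range(1, n + 1) if gcd(a, n) == 1)

def choices_for(b, comp):
    """Automorphism choices for one composition: product of phi(b**t)."""
    return prod(phi(b**t) for t in comp)

def count_additions(b, m):
    """Sum of choices_for over all compositions of m, without listing them:
    split off the first part t and recurse on the remaining m - t digits."""
    @lru_cache(maxsize=None)
    def n(k):
        if k == 0:
            return 1
        return sum(phi(b**t) * n(k - t) for t in range(1, k + 1))
    return n(m)

def c_b(b):
    """Product of (1 - 1/p) over the primes p dividing b (assumed form of c_b)."""
    c, n, p = Fraction(1), b, 2
    while n > 1:
        if n % p == 0:
            c *= 1 - Fraction(1, p)
            while n % p == 0:
                n //= p
        p += 1
    return c

def closed_form(b, m):
    """b^m * c_b * (1 + c_b)^(m-1), evaluated exactly with fractions."""
    c = c_b(b)
    return b**m * c * (1 + c)**(m - 1)

if __name__ == "__main__":
    print(choices_for(2, (3, 4, 1)))                  # composition 8 = 3 + 4 + 1
    print(count_additions(2, 8), closed_form(2, 8))   # prime base, Theorem 3.2
    print(count_additions(6, 4), closed_form(6, 4))   # composite base, Theorem 3.4
```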